TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Personally Identifiable Information (PII): What It Is and Why It Matters
Legal Compliance

Personally Identifiable Information (PII): What It Is and Why It Matters

Learn what personally identifiable information (PII) is, what qualifies as PII under major privacy laws, and how to protect it. Practical guide for businesses.

TermsBox Team|April 2, 202612 min read

Personally identifiable information, commonly known as PII, refers to any data that can be used to identify a specific individual. Understanding what counts as personally identifiable information, how different laws define it, and what obligations businesses have to protect it is fundamental to compliance with virtually every privacy regulation in force today.

This guide explains PII categories, how major privacy laws treat personally identifiable data, the practical steps businesses must take to protect it, and what happens when protection fails. This content is for educational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance on your specific situation.

What Is Personally Identifiable Information?

Personally identifiable information is any data element that can identify, contact, or locate a specific person, either directly or when combined with other available data. The concept is central to every data protection law, though different jurisdictions use different terminology and draw slightly different boundaries.

The US National Institute of Standards and Technology (NIST) defines PII as "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity." The key word is "trace." If data can lead back to a specific person, it is personally identifiable.

Direct identifiers vs. indirect identifiers

PII falls into two broad categories:

Direct identifiers can identify a person on their own without any additional context:

  • Full name
  • Social Security number or national ID number
  • Passport or driver's license number
  • Email address
  • Phone number
  • Biometric data (fingerprints, facial recognition data, retinal scans)
  • Financial account numbers

Indirect identifiers (also called quasi-identifiers) cannot identify a person alone but can do so when combined with other data points:

  • Date of birth
  • Zip code or postal code
  • Gender
  • Race or ethnicity
  • Job title and employer
  • Education history
  • Device identifiers and IP addresses (in some contexts)

Research has repeatedly demonstrated the power of indirect identifiers. A widely cited study by Dr. Latanya Sweeney showed that 87% of the US population could be uniquely identified using only three data points: zip code, date of birth, and gender.

How Major Privacy Laws Define Personally Identifiable Information

Different laws use different terms and scopes for what constitutes personally identifiable data. Understanding these distinctions is critical for organizations operating across jurisdictions.

GDPR: "personal data"

The GDPR does not use the term "PII." Instead, Article 4(1) defines "personal data" as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as:

  • A name
  • An identification number
  • Location data
  • An online identifier (cookies, IP addresses, device IDs)
  • Factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person

The GDPR's definition is intentionally broad. It captures pseudonymized data (data where direct identifiers have been replaced with tokens) if re-identification is possible using additional information. Only truly anonymized data, where re-identification is irreversible, falls outside the regulation.

CCPA/CPRA: "personal information"

The California Consumer Privacy Act and its amendment, the CPRA, use the term "personal information," defined under Section 1798.140(v) as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The CCPA's definition explicitly includes:

  • Real name, alias, postal address, unique personal identifier
  • IP address, email address, account name
  • Social Security number, driver's license number, passport number
  • Commercial information (purchasing history, tendencies)
  • Biometric information
  • Internet browsing history, search history
  • Geolocation data
  • Professional or employment-related information
  • Education information
  • Inferences drawn from any of the above to create a consumer profile

Notably, the CCPA extends the definition to household-level data, not just individual-level data.

US federal and sector-specific laws

The United States lacks a single comprehensive federal privacy law. Instead, PII definitions vary across sector-specific statutes:

  • HIPAA protects "protected health information" (PHI): 18 specified identifiers linked to health data
  • FERPA covers "education records" linked to a student's identity
  • GLBA governs "nonpublic personal information" in financial services
  • COPPA restricts collection of personal information from children under 13
  • FTC Act: the Federal Trade Commission uses a broad, context-dependent interpretation of PII in enforcement actions

Each law has its own scope, definitions, and penalties, making US PII compliance inherently complex for organizations operating across sectors.

Categories of Personally Identifiable Information

Understanding PII categories helps organizations classify, protect, and disclose data appropriately. Most frameworks distinguish between sensitive and non-sensitive PII.

Sensitive PII

Sensitive PII carries a higher risk of harm if exposed. It typically includes:

  • Social Security numbers and government-issued ID numbers
  • Financial account numbers (bank accounts, credit cards)
  • Medical and health records
  • Biometric identifiers
  • Login credentials (usernames and passwords)
  • Genetic data
  • Data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation (classified as "special category data" under GDPR Article 9)

Sensitive PII generally requires stronger technical safeguards, more limited access, and explicit consent for processing.

Non-sensitive PII

Non-sensitive PII is data that is generally available or poses lower risk in isolation:

  • Name (without additional context)
  • Business email address
  • Business phone number
  • Job title
  • General geographic location (city, state)

While the risk per data point is lower, non-sensitive PII still requires protection and disclosure. When multiple non-sensitive data points are combined, they can become as identifying as a Social Security number.

How Personally Identifiable Information Applies to Websites

Every website that interacts with users collects some form of personally identifiable information. Understanding exactly what your site collects is the first step toward compliance.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Common PII collection points on websites

Most websites collect PII through several channels, some obvious and some less so:

  • Forms: contact forms, registration forms, checkout pages, newsletter signups all collect names, email addresses, and potentially more
  • Cookies and trackers: analytics tools, advertising pixels, and social media widgets collect IP addresses, device identifiers, browsing behavior, and sometimes location data
  • Server logs: web servers automatically record IP addresses, user agents, referrer URLs, and timestamps for every request
  • Payment processing: e-commerce sites handle credit card numbers, billing addresses, and transaction histories
  • User accounts: authentication systems store email addresses, passwords (hashed), and profile data

Disclosure obligations

Privacy laws require you to tell users what personally identifiable information you collect and why. Your privacy policy must disclose:

  1. The categories of PII you collect
  2. The sources from which you collect it
  3. The purposes for processing
  4. The categories of third parties with whom you share it
  5. The retention periods for each category
  6. The rights users have regarding their data

This is not optional. Under Article 13 of the GDPR, this information must be provided at the time of data collection. Under CCPA Section 1798.100, it must be available before or at the point of collection.

Identifying what your website collects

Many website owners underestimate the PII their site collects because third-party scripts operate invisibly. A single analytics snippet or advertising tag can collect IP addresses, device fingerprints, and behavioral data without appearing in any form field. Automated compliance tools can scan your site to identify all cookies, trackers, and third-party integrations that handle personal data, giving you an accurate picture of your actual data collection footprint.

How to Protect Personally Identifiable Information

Collecting PII creates legal obligations to protect it. The specific measures depend on the sensitivity of the data and the applicable regulations, but several core practices apply universally.

Technical safeguards

  • Encryption: encrypt PII in transit (TLS/HTTPS) and at rest (AES-256 or equivalent). This is not optional for sensitive PII.
  • Access controls: implement role-based access so employees can only view the PII they need for their specific function. Apply the principle of least privilege.
  • Pseudonymization: replace direct identifiers with tokens where possible, storing the mapping separately with restricted access. GDPR Article 32 specifically recommends this technique.
  • Secure authentication: enforce strong passwords, multi-factor authentication, and session management controls for systems that access PII.
  • Data loss prevention: monitor and restrict the movement of PII outside authorized systems and channels.

Organizational measures

  • Data minimization: collect only the PII you genuinely need. If you do not have a documented purpose for a data field, do not collect it.
  • Retention limits: define and enforce maximum retention periods for each category of PII. Delete data when the retention period expires.
  • Employee training: ensure everyone who handles PII understands their obligations and the consequences of mishandling.
  • Vendor management: assess and contractually bind every third-party processor that handles PII on your behalf. Under GDPR Article 28, you must use data processing agreements.
  • Incident response plan: prepare a documented plan for detecting, containing, and reporting PII breaches. Most jurisdictions mandate breach notification within specific timeframes (72 hours under the GDPR per Article 33).

Consent management

For website operators, managing consent for PII collection is a critical compliance requirement. Cookie consent banners must accurately reflect the categories of data being collected and the purposes for processing. A cookie policy should complement your privacy policy by providing detailed information about each tracking technology in use.

PII Breach Notification Requirements

When personally identifiable information is compromised, most jurisdictions require notification to affected individuals and regulators. The requirements vary significantly.

GDPR breach notification

Under Articles 33 and 34 of the GDPR:

  • The supervisory authority must be notified within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in risk to individuals
  • Affected individuals must be notified "without undue delay" when the breach is likely to result in a high risk to their rights and freedoms
  • Notification must include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address it

US breach notification

All 50 US states, the District of Columbia, and US territories have enacted breach notification laws with varying requirements. Common elements include:

  • Notification to affected residents (timelines range from 30 to 90 days depending on the state)
  • Notification to the state attorney general (required in most states)
  • Notification to credit reporting agencies when large numbers of records are affected
  • Specific content requirements for notification letters

Under the CCPA, consumers have a private right of action for data breaches involving certain categories of unencrypted PII, with statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Personally Identifiable Information and Your Privacy Policy

Your privacy policy is the primary document where you disclose how you handle personally identifiable information. A privacy policy that fails to accurately describe your PII practices is not just bad practice; it is a regulatory violation.

What your privacy policy must cover regarding PII

At minimum, your privacy policy should address:

  • What PII you collect: list specific categories, not vague generalities. "We collect your name, email address, IP address, and browsing behavior through cookies" is compliant. "We may collect some personal information" is not.
  • How you collect it: distinguish between information users provide directly (forms, account creation) and information collected automatically (cookies, analytics, server logs).
  • Why you collect it: state the legal basis for each processing activity. Under the GDPR, this means identifying whether you rely on consent, legitimate interest, contract performance, or another basis from Article 6.
  • Who you share it with: name the categories of third parties (analytics providers, advertising networks, payment processors) and ideally the specific services.
  • How you protect it: describe the security measures in place, without revealing specifics that could help attackers.
  • How long you keep it: specify retention periods by category.
  • What rights users have: detail the rights available under applicable laws and provide clear instructions for exercising them.

You can generate a comprehensive privacy policy that covers these requirements and keep it hosted at a clean, accessible URL so users and regulators can always find the current version.

Frequently Asked Questions

What qualifies as personally identifiable information?

Personally identifiable information (PII) is any data that can identify a specific individual, either on its own or when combined with other information. Direct identifiers include full names, Social Security numbers, passport numbers, and email addresses. Indirect identifiers include dates of birth, zip codes, and job titles, which can identify someone when combined together.

Is an IP address considered personally identifiable information?

It depends on the jurisdiction. Under the GDPR, IP addresses are explicitly classified as personal data per Recital 30, because they can be used to identify an individual with additional information held by the internet service provider. Under US law, the classification varies by state and context, but the trend is toward treating IP addresses as PII.

What is the difference between PII and personal data under the GDPR?

PII is a term used primarily in US law and focuses on data that directly identifies an individual. Personal data under the GDPR (Article 4(1)) is broader, covering any information relating to an identified or identifiable natural person, including online identifiers, location data, and pseudonymized data if re-identification is possible. All PII is personal data, but not all personal data is PII under the US definition.

What happens if a business fails to protect PII?

Consequences include regulatory fines (up to 20 million EUR or 4% of global turnover under the GDPR, $2,500 to $7,500 per violation under the CCPA), class-action lawsuits, mandatory breach notification costs, reputational damage, and loss of customer trust. The average cost of a data breach in 2024 was $4.88 million according to IBM's Cost of a Data Breach Report.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is Personally Identifiable Information?
  • Direct identifiers vs. indirect identifiers
  • How Major Privacy Laws Define Personally Identifiable Information
  • GDPR: "personal data"
  • CCPA/CPRA: "personal information"
  • US federal and sector-specific laws
  • Categories of Personally Identifiable Information
  • Sensitive PII
  • Non-sensitive PII
  • How Personally Identifiable Information Applies to Websites
  • Common PII collection points on websites
  • Disclosure obligations
  • Identifying what your website collects
  • How to Protect Personally Identifiable Information
  • Technical safeguards
  • Organizational measures
  • Consent management
  • PII Breach Notification Requirements
  • GDPR breach notification
  • US breach notification
  • Personally Identifiable Information and Your Privacy Policy
  • What your privacy policy must cover regarding PII
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.